Trend Report: Unified Threat Management

Visualize going through airport security. You step up to one guy who scrutinizes your boarding pass and license. Once he waves you by, you're immediately stopped by a rent-a-cop with a metal detector. Passing the scan without clicks or beeps, you're clear to walk 4 feet before a bag-check line halts your progress. Then you wait as guards search someone's grandmother for explosives.

That reality is similar to what happens to a packet when it enters a heavily secured network. With an increasing number of systems inspecting traffic for unauthorized access, malware, attacks, data leakage, spam, and more, there's a lot of credential checking and scrutinizing going on--and a lot of cash being spent on multiple security devices. Replace all those checks and searches with a multifunction entity empowered to move you directly from the curb to the plane, and you have the concept of unified threat management, or UTM.

UTM products are available for all sizes of networks. Though they're predominantly associated with small and midsize enterprises, sales range from very small networks to very large, dispersed organizations. Distributed enterprises will want to deploy multiple UTM products, and that means management issues. Fortunately, most vendors support platforms for administering a far-flung network of UTM devices and for integration into existing security suites. While it was no surprise that larger companies with an established security presence, including Check Point Software, Cisco Systems, IBM, and Juniper Networks, integrate UTM devices into their overall security portfolios, we were pleased to see some vendors without larger comprehensive security suites, including Astaro, Cyberoam, Fortinet, Secure Computing, SonicWall, and ZyXel, also making sure to address multiple-device management and security technology integration. For a comprehensive rundown of UTM offerings, including price and capabilities, download the comparison chart.

Speaking of cost, one interesting facet of the UTM market is that a number of appliances integrate open source components under the hood. This approach has certainly benefited consumers by producing many lower-cost appliances that encourage competition. On the flip side, however, you need to watch for changes in GPL licensing.


COG IN A MACHINE
Many of the advantages of integrating security functions into a single device are obvious: reduced cost, consolidated reporting, a consistent interface, simplified network architecture, and ease of management. In fact, these trends are also driving consolidation of the endpoint security suite market, as we discuss in "Eating The Elephant". On the desktop, antivirus products have become the commodity around which other features continue to be added, while on the network the firewall has taken that position.

There are less obvious benefits, too. Take the push toward green computing: Consolidation doesn't only mean virtualization. Reducing the number of security devices by way of unified threat management is another way to save on that power bill. For more mature products in the space, UTM--yes, we're saying this without sarcasm--provides synergy. For example, an antivirus module, an anti-spam module, and a content-filtering module might all share the same database of known bad URLs, which each would apply appropriately. Fortinet maximizes this integrated approach: Its entire platform was designed around UTM from the ground up, and the company maintains all its own modules and signature databases, which is rare among UTM vendors.

Of course, putting all the animals under one roof does have negatives. It's unlikely that any single UTM product will embody the best of each of its parts. For example, with the exception of Check Point, IBM, and Juniper, whose UTM devices integrate technologies from their top-pedigree intrusion-prevention systems, most UTM IPS functionality won't measure up to standalone intrusion-prevention systems in terms of features and depth of detection and prevention. Likewise with some antivirus and anti-spam functionality.

Then there are marketing claims. New laptops never get the battery life that vendors promise, nor do pricey brands of beer elicit instant adoration from the opposite sex.
In the case of UTM, it might be useful to have a couple of kilos of salt on hand when meeting with vendor reps. It's hard enough to quantify bandwidth claims in standalone evaluations of security products, but in devices with a half-dozen or more separate parsing modules, expect actual performance under real-world networking conditions with all modules turned on to be drastically different from claimed numbers. Many products feature hardware acceleration for this exact reason, but without trying a product on your network with your desired options, you can't know for sure that it will stand up.

Another potential unification pitfall is the concept of consolidating your security eggs in one place. Not only does this introduce a single point of failure for network gateway protection, but there's a movement afoot to distribute security for greater effectiveness rather than consolidate (see "Forum Sounds The Trumpets For Defense In Depth").

OPEN SOURCE DEBATE
Some UTM products began as interfaces to a collection of open source technologies--grab Snort for intrusion detection and prevention, ClamAV for antivirus, and IPTables/Netfilter for the firewall, and you have all the required ingredients of a UTM. Add a bit of glue, an interface, and a reporting mechanism, and go to market.

SmoothWall sells exactly this and makes no attempt to hide that fact. Even its interface is open source and freely available. Customers benefit, as is obvious from our comparison chart. The SmoothGuard 1000 costs anywhere from half to a third as much as competing products to protect the same size network, at $5,000 to guard as many as 1,000 nodes. In contrast, Check Point's price for 1,000 nodes is $15,500. Astaro also readily admits to using open source to bootstrap areas of its UTM product, which starts at $1,200, though it claims an overall best-of-breed approach, citing a recent switch from the open source Squid HTTP proxy to an internally developed one.

Some vendors denigrate competing products that are based on open source technology, but the fact is, open source software is inherently neither better nor worse than proprietary code. Indeed, for any company with finite resources trying to implement an all-in-one UTM approach, it makes good sense to devote financial resources to proprietary software where it's needed most based on a risk assessment and fill in with open source where appropriate.

However, there are a few issues to be aware of when deciding between open and proprietary unified threat management. First, licensing changes can affect future versions. Tenable Network Security changed the licensing for the popular Nessus vulnerability scanner, for example, when moving from version 2.0 to 3.0, though it's worth noting that this was possible only because all, or nearly all, of the 3.0 development had been done by programmers employed by Tenable. And licenses for previous versions can't be revoked.

Another issue is the GPL derivative works clause. Most earlier interpretations said a program was not considered derivative if it interfaced to a compiled version of the application. In other words, taking Snort and wrapping a Web interface around configuration, management, and output data was not a derivative work such that the entire application needed to be GPL licensed, as long as the original application was not modified. This convention is not held by all open source authors, however. Nmap and Snort now explicitly require licensing of any applications that use their apps in ways that may affect UTM vendors, such as including source or data files, or wrapping them in an installer.

Snort is commonly used by the UTM vendors that we spoke with, but only Astaro is listed as an integrator on Sourcefire's Web site. Other companies may either be planning on not using the 3.0 line of the product or have a private licensing agreement with Sourcefire, which wouldn't comment on the specifics of who licenses what.

YEAH, IT'S IN THERE
When IDC analyst Charles Kolodgy in 2004 coined the term "unified threat management security appliance," he wasn't so much creating a new class of product as he was enunciating a trend. Firewalls were adding a variety of features, and Kolodgy's original UTM definition required a product capable of firewall functionality, intrusion detection and prevention, and antivirus scanning, from one integrated device. Today's UTM products comprise these features and many others. Here's a rundown:

Firewalls: This ubiquitous security product has fallen from favor lately. However, in a true default-deny deployment, a firewall is still a solid security move, and the firewall origin of UTM devices illustrates their appropriate deployment model: Anywhere the network is well enough understood to deploy a firewall is likely a good place to apply other security features. Moreover, firewall vendors haven't stood still. The latest iteration of the firewall philosophy sees concepts once applied only to Layers 3 and 4 of the OSI network model (addresses and ports) targeted across the entire stack, allowing rules to be applied to data and applications regardless of port or protocol.

Intrusion-detection and -prevention systems: While the philosophies behind IDS and IPS are subtly different--or should be, anyway--their value over a traditional firewall centered on the ability to peer inside packets, as opposed to basing security decisions on packet headers alone. Unfortunately, an IPS represents a default-allow: Rules are created to block attacks, vulnerabilities, or other suspicious behavior, but otherwise everything gets through.

While much malicious traffic can be mitigated with a properly tuned IPS, in general, IDS/IPS vendors have had a difficult time keeping up with the shift from server attacks to client-side exploits. Network gateway intrusion-prevention systems suffer from a perspective problem: Attacks that don't simply target the network socket are difficult to detect. For example, a browser plug-in exploit can be sent inside encrypted JavaScript that's compressed inside HTTP content encoding that is in turn encrypted inside an SSL transaction. Without software running on the endpoint or the ability to perfectly emulate an endpoint--something no network IPS is capable of--there's no reliable way for an IPS to stop this type of attack.

Antivirus: The original UTM definition included gateway antivirus, which typically meant SMTP and HTTP scanning. Some products extended their protections into peer-to-peer protocols, file transfer protocols, or chat clients. There's no such thing as a pure antivirus feature in recent UTM products; instead, anti-spyware, anti-spam, and anti-malware features are all represented. The latest technologies use behavioral scanning to implement checks on files being transferred to identify potential threats without relying on a static fingerprint database. Of course, whether detection is behavioral or signature-based, it's still an example of a default-allow policy.

As the UTM space evolved, products gained a variety of features besides these "big three," including:

Network infrastructure capabilities: Given the philosophy behind UTM and the already common trend toward integrating other network features such as VPNs into firewall products, many UTM devices are also fully functional network-infrastructures-in-a-box. They may include such features as NAT, quality of service, or VPN. The VPN functionality in UTM products includes site-to-site as well as SSL or other client-server VPN technologies that let remote employees access internal resources.

Content filtering: Usually associated with Web-content filtering via a URL blacklist service (one of many UTM features that requires a subscription license for updates), content filtering is often touted as a productivity increaser. Of course, savvy users almost always find ways to get access to the content they want to view.
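The perspective problem described under intrusion-detection and -prevention systems above is easy to show in code. The following is an added example, written for this edit and not code from the article or from any vendor it names: one signature matcher is run against the same constructed page delivered three ways, as plain HTTP, gzip-compressed under Content-Encoding, and as an XOR-obfuscated script that only reconstitutes the payload when the browser executes it. The marker string, the page, the decoder stub and the filler text are all constructed for the demonstration; the marker is hypothetical and not a real exploit.

```python
import gzip
import re
import zlib

# Constructed, hypothetical marker standing in for "known bad" JavaScript a signature keys on.
EXPLOIT_MARKER = b"new ActiveXObject('Evil.Plugin').Overflow("
SIGNATURES = [re.compile(re.escape(EXPLOIT_MARKER))]


def naive_ips_match(wire_bytes):
    """Signature matching the way a packet-oriented IPS does it: search the raw bytes."""
    return any(sig.search(wire_bytes) for sig in SIGNATURES)


def build_http_response(page, gzip_body=False):
    """Serialise an HTTP/1.1 response, optionally gzip-compressing the body."""
    body = page
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if gzip_body:
        body = gzip.compress(page)
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def parse_http_response(wire_bytes):
    """Split a response into {lower-cased header name: value} and the body."""
    head, _, body = wire_bytes.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decode_body(wire_bytes):
    """Undo Content-Encoding; None means the body could not be decoded."""
    headers, body = parse_http_response(wire_bytes)
    encoding = headers.get(b"content-encoding", b"").lower()
    try:
        if encoding == b"gzip":
            return gzip.decompress(body)
        if encoding == b"deflate":
            return zlib.decompress(body)
    except (OSError, zlib.error):
        return None
    return body


def normalizing_ips_match(wire_bytes):
    """An IPS that reassembles the stream, parses HTTP and strips Content-Encoding before
    matching. Whatever it cannot decode is let through: an IPS is default-allow."""
    body = decode_body(wire_bytes)
    return False if body is None else naive_ips_match(body)


def obfuscate_script(script, key):
    """Constructed 'encrypted JavaScript': XOR the real code and ship it as hex inside a small
    decoder stub, so the marker never appears on the wire in any encoding."""
    blob = bytes(b ^ key for b in script).hex().encode()
    return (b"<script>var k=%d,h='%s',s='';for(var i=0;i<h.length;i+=2)"
            b"s+=String.fromCharCode(parseInt(h.substr(i,2),16)^k);eval(s);</script>"
            % (key, blob))


def endpoint_detect(wire_bytes):
    """Stand-in for inspection on the endpoint: 'run' the stub by reversing it, then match.
    This works only because we know this one stub; a network IPS faces arbitrary JavaScript
    and would have to emulate the browser to get the same view."""
    body = decode_body(wire_bytes)
    if body is None:
        return False
    stub = re.search(rb"var k=(\d+),h='([0-9a-f]*)'", body)
    if stub:
        key = int(stub.group(1))
        body = bytes(b ^ key for b in bytes.fromhex(stub.group(2).decode()))
    return naive_ips_match(body)


# Constructed sample pages. The filler gives the compressor something to compress.
ATTACK_SCRIPT = EXPLOIT_MARKER + b"0x41414141);"
FILLER = b"<p>" + b"lorem ipsum dolor " * 16 + b"</p>"
PLAIN_PAGE = b"<html>" + FILLER + b"<script>" + ATTACK_SCRIPT + b"</script></html>"
OBFUSCATED_PAGE = b"<html>" + FILLER + obfuscate_script(ATTACK_SCRIPT, 0x5A) + b"</html>"


def run_demo():
    """Verdict of (naive IPS, normalizing IPS, endpoint) for each delivery."""
    deliveries = {
        "plain": build_http_response(PLAIN_PAGE),
        "gzip": build_http_response(PLAIN_PAGE, gzip_body=True),
        "obfuscated": build_http_response(OBFUSCATED_PAGE, gzip_body=True),
    }
    return {name: (naive_ips_match(w), normalizing_ips_match(w), endpoint_detect(w))
            for name, w in deliveries.items()}


if __name__ == "__main__":
    for name, (naive, normalizing, endpoint) in run_demo().items():
        print(f"{name:<11} naive={naive!s:<5} normalizing={normalizing!s:<5} endpoint={endpoint}")
```

Only the endpoint-side decoder, which knows how to run the stub, ever sees the marker. Note two things the article's point rests on: an undecodable body is passed rather than dropped, because the IPS is default-allow; and once the whole exchange sits inside SSL, even the first decoding step is unavailable unless the gateway terminates the tunnel itself.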

DIG DEEPER: THE END GAME of all threat management is to prevent data loss. To find out from Jordan Wiens how to thwart thieves,

Data-leakage prevention: DLP products have been all the rage these past few years; look for them to continue to merge into traditional UTM staples. A number of products now have some simple data-leakage mechanisms, like e-mail keyword filtering or blocking of attachments in e-mail, but IBM's Proventia line is ahead of the curve, boasting a full-featured set of DLP capabilities.

Network access control: While NAC--or admission control, depending on who's selling it to you--can be hard enough to define even when not mixed in with dozens of other capabilities, it makes sense for products that are doing everything else security related on the network to control access, enforce endpoint compliance, or integrate with other NAC systems. SonicWall's forced antivirus checks are an example of baby steps in that direction.

Identity-based access control: IBAC is another relatively new security technology for network gateway products. Operating systems, applications, and other devices have used the idea of authentication and authorization since the beginning of computing history. Applied to network gateways, however, it's a relatively new approach. Cyberoam makes this identity-based protection a cornerstone feature of its UTM line.
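The content-filtering item above says savvy users almost always find a way around a URL blacklist, and the "Cog In A Machine" section notes that several modules may share one database of known bad URLs. The following added example (written for this edit; not code from the article or from any vendor it names) shows the most common tricks against a naive exact-match lookup, and a canonicalising lookup that closes them. The block list, the blocked address and the sample URLs are constructed; it goes slightly beyond the text by also handling dotless-decimal IP literals, which bypass any name-based list.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed block list, as a shared "known bad URL" database might hold it (hypothetical
# names under .example and a TEST-NET-2 address; nothing here is a real site).
BLOCKED_DOMAINS = {"evil.example", "phish.example"}
BLOCKED_ADDRESSES = {ipaddress.ip_address("198.51.100.7")}


def naive_is_blocked(url):
    """Exact match of the URL's authority against the list: the obvious first implementation."""
    return urlsplit(url).netloc in BLOCKED_DOMAINS


def canonical_host(url):
    """The host as the client will resolve it: user-info and port dropped, lower-cased,
    percent-encoding undone, trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return unquote(host).lower().rstrip(".")


def as_ip_literal(host):
    """Return an address if the host is an IP literal (dotted, bracketed IPv6 or dotless
    decimal such as 3325256711), else None."""
    try:
        if host.isdigit():
            return ipaddress.ip_address(int(host))
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def hardened_is_blocked(url):
    """Canonicalise, then match the host and every parent domain label by label, so
    'www.evil.example' is caught and 'notevil.example' is not."""
    host = canonical_host(url)
    addr = as_ip_literal(host)
    if addr is not None:
        # A literal never matches a name list; the gateway needs address data too, or must
        # map addresses back to names from the DNS answers it has seen.
        return addr in BLOCKED_ADDRESSES
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


# Constructed sample URLs: the same blocked site requested in several spellings,
# plus two that must stay allowed.
SAMPLE_URLS = [
    "http://evil.example/",
    "http://EVIL.example/",
    "http://evil.example:80/",
    "http://user@evil.example./",
    "http://www.evil.example/",
    "http://%65vil.example/",
    "http://198.51.100.7/",
    "http://3325256711/",
    "http://notevil.example/",
    "http://safe.example/",
]


def run_demo():
    """Map each sample URL to (naive verdict, hardened verdict)."""
    return {u: (naive_is_blocked(u), hardened_is_blocked(u)) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (naive, hardened) in run_demo().items():
        print(f"{url:<30} naive={naive!s:<5} hardened={hardened}")
```

The naive lookup catches only the first spelling; the hardened one catches all eight variants of the blocked site and still leaves the two legitimate hosts alone. What it cannot do is follow a user to a fresh address or a proxy that is not in the list, which is why the article is right that filtering on a URL list is a productivity measure more than a security control.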